New how-to guide allows even layman hackers to carry out attacks similar to suspected government efforts

During a presentation at Def Con 21 last month, famed Apple, Inc. (AAPL) hacker Charlie Miller (who works at Twitter) and Chris Valasek, director of security intelligence at IOActive, revealed an interesting side project. The presentation showed how to affordably attack a vehicle's CAN bus with malicious messages, causing the vehicle to brake, refuse to brake, or even steer into a wall. The presentation shows how such attacks could be carried out -- even by relatively unskilled hackers.

I. CAN -- Useful, but Not Very Secure

Cars have over time grappled with the increasing use of electronic control units (ECUs) and at times conflicting standards. CAN (the Controller Area Network) was an industry-wide effort to simplify and improve in-car communications. While implementations vary slightly, CAN is governed by a set of published standards from the International Standards Organization (ISO), including ISO 15765-2 (ISO-TP) (sending) and ISO 14229, 14230 (receiving).

Part of a broader set of standards to make vehicle diagnosis easier (the so-called On-Board Diagnostics II (OBD-II) standard), CAN has been required on all light vehicles in the U.S. since 1996 and in the EU since 2001 (petrol vehicles) / 2004 (diesels). But it turns out that as vehicles become more connected and the ECU count continues to rise, fundamental security flaws in the standard and its implementation in current vehicles are showing through.

There are many routes that can be used to attack the CAN bus. [Image Source: AutoSec]

Once (temporarily) installed on a target ECU, these codes were capable of sudden braking, brake failure, or acceleration, by sending malicious signals to various other onboard ECUs. Amazingly, the authors found that many ECUs would even allow themselves to be reflashed (reprogrammed) while driving, given the proper CAN message encouragement.

The vehicle in these tests was rumored to be an OnStar equipped model from General Motors Comp. (GM).

However, while these kinds of claims were alarming, an open set of libraries to control CAN I/O was not available at the time. In other words, unless you were someone with a lot of resources -- e.g. a government -- or an automotive expert with a lot of time on your hands, you likely wouldn't have the knowledge or means to carry out these kinds of CAN-based attacks. That meant that cars enjoyed a modicum of security from the average script-writing internet hacker masses.

II. "Car Hacking for Dummies"

But that relative safety appears to be coming to an end. Funded by a grant from the Defense Advanced Research Projects Agency, Mr. Miller and Mr. Valasek have baked a set of libraries to make writing code to study CAN signals and craft attacks much easier. Dubbed EcomCat [zip], the attack library builds on the barebones ECOM API [PDF], which is distributed by EControls, a maker of CAN-interface USB devices.

The only difficulty is that EControls' ECOM can't easily plug into the OBD-II port, a CAN input commonly located near the passenger's seat. But if you have basic cable-making skills, you can fashion a connector using the OBD-II connector shell, which OBD Diagnostics, Inc. sells.

Beyond that, all you need are the typical assets of an internet hacker -- basic coding knowledge, time, and a target.

With a custom ECOM-to-OBD connector built from off-the-shelf parts (left), an EControls ECOM test cable (right), and a laptop, you can test car attacks like a pro. [Image Source: Def Con]

In their work, the authors use the APIs they developed to identify and attack various control signals in a 2010 Prius from Toyota Motor Corp. (TYO:7203) and a 2010 Escape from Ford Motor Comp. (F). The authors showed how the APIs could be used to accomplish attacks similar to those the UW/UCSD team carried out on the brakes or throttle. They also demonstrated how cars with automatic parking features (e.g. the Prius) could be used to maliciously steer the vehicle, as the car can now take control of the steering wheel given the right signals (typically a driver could override this by firmly gripping and twisting the wheel, but not all drivers would know how to respond -- particularly given the surprise of the attack).

III. Danger is Rising

Again, the key difference between the UCSD/UW effort and the recent Def Con talk is that the UCSD/UW team did not release their attack software and kept their descriptions of the attack's finer details at a higher level. By contrast, the recent presentation not only comes with an open library of "helpful" attack software, but also explicit descriptions of how to buy/build an interface device and detailed examples of attacks on specific ECUs, in terms even a layman with basic programming skills could understand.

Charlie Miller [Image Source: ZDNet]

With the Def Con presentation, what was once a purely academic attack is creeping closer to general use.

Thus, even if you don't buy into plausible conspiracy theories like those surrounding Mr. Hastings' death, and aren't afraid of your government, you still now have something to actually worry about, since the Pandora's box of "CAN hacking for dummies" has been opened by these pro-disclosure researchers.

Soon deadly sabotage attacks may be common on older vehicles. [Image Source: Unknown]

The timing of Def Con 21 was uncanny, coming at a time when conspiracy theories regarding the death of prominent Obama and Bush administration critic and Rolling Stone contributing editor Michael Hastings were peaking. Mr. Hastings -- a medical marijuana user -- allegedly had traces of both methamphetamine and marijuana in his system when his car steered off course on a deserted Highland Avenue at around 4:20 a.m. on June 18 and struck a tree, prompting the Mercedes to burst into flames.

While fiery crashes and deaths are a rare, but not altogether foreign, tragedy on America's highways, the reporter's adversarial relationship with the Obama administration -- and the Obama administration's willingness to harass reporters who dig too deeply -- has fueled theories that foul play might have been involved in the crash.

Electronic hacking is one of the possible methods of sabotage that some suspect was used to kill journalist Michael Hastings. [Image Source: PrisonPlanet]

Prior to President Barack Obama's election in 2008, Brennan was working at Analysis Corp. -- one of two government contracting firms which gained unauthorized access to the then-Senator Obama's passport record. That incident has led to speculation that Mr. Hastings might have been unearthing evidence of Mr. Brennan's possible role in the access, tampering, or "sanitization" of the President's passport.

While many details of the crash added up (methamphetamine users often become dangerously paranoid), others provoked suspicion, including reports that Mr. Hastings was allegedly visited by federal agents on the day of his death. Former Cybersecurity Czar (formally, the U.S. National Coordinator for Security, Infrastructure Protection, and Counter-terrorism) Richard Clarke told The Huffington Post in an interview:

I'm not a conspiracy guy. In fact, I've spent most of my life knocking down conspiracy theories. But my rule has always been you don't knock down a conspiracy theory until you can prove it [wrong]. And in the case of Michael Hastings, what evidence is available publicly is consistent with a car cyber attack. And the problem with that is you can't prove it.

Whether or not his suspicions prove true, the fervor surrounding the topic of automotive hacking is arguably justified.

Anyone with basic skills, physical access to your car, and mischief or malice in their hearts can now attach a malicious device to your car -- or potentially even reprogram one of your onboard ECUs. When you start driving, the attacker's code will spring into effect, and if the author did their homework, it may erase any trace of itself after it accomplishes its objectives.

That's the bad news.

The good news is that once the public realizes this -- and once automakers realize that the public realizes this -- the market will mandate that they implement stiffer security into their CAN-connected components. Such security will help to protect drivers not only from the government, but also from the much more common malicious members of the masses.
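One building block of the "stiffer security" the article calls for is monitoring the bus itself: injected frames compete with the legitimate ECU, which keeps transmitting on its own schedule, so they show up as IDs that never appear in normal traffic or as frames arriving far too soon after the previous one with the same ID. The following added example (not code from the Def Con talk, EcomCat, or the ECOM API) learns each ID's normal period from a known-good capture and flags those two anomalies; the log format is the candump "(timestamp) iface ID#DATA" style, and all IDs and data are constructed.

```python
"""Toy CAN injection detector: learns per-ID message periods from good traffic,
then flags unknown IDs and frames that arrive implausibly soon (added example)."""
import re
from collections import defaultdict

# candump-style log line: "(timestamp) iface ID#DATA"; IDs/data below are constructed.
LINE_RE = re.compile(r"\((?P<ts>[\d.]+)\) \S+ (?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)")


def parse_frames(lines):
    """Parse log lines into (timestamp, id, data) tuples, sorted by timestamp."""
    frames = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return sorted(frames)


def baseline_periods(lines):
    """Mean inter-arrival time per ID, learned from a known-good capture."""
    last, total, count = {}, defaultdict(float), defaultdict(int)
    for ts, cid, _ in parse_frames(lines):
        if cid in last:
            total[cid] += ts - last[cid]
            count[cid] += 1
        last[cid] = ts
    return {cid: total[cid] / count[cid] for cid in count}


def detect(lines, periods, factor=0.5):
    """Return (timestamp, id, reason) alerts: IDs absent from the baseline, and
    frames arriving sooner than factor * that ID's normal period."""
    alerts, last = [], {}
    for ts, cid, _ in parse_frames(lines):
        if cid not in periods:
            alerts.append((ts, cid, "unknown id"))
        elif cid in last and ts - last[cid] < factor * periods[cid]:
            alerts.append((ts, cid, "rate anomaly"))
        last[cid] = ts
    return alerts


# Constructed known-good traffic: ID 0x123 every 10 ms, ID 0x2A0 every 20 ms.
BASELINE = [f"({i / 100:.3f}) can0 123#00{i:02X}" for i in range(20)] + \
           [f"({i / 50:.3f}) can0 2A0#0000" for i in range(10)]
# Constructed suspicious capture: two extra 0x123 frames squeezed between the
# legitimate ones, plus a frame from an ID that never appeared in the baseline.
SUSPECT = BASELINE + ["(0.052) can0 123#FF00", "(0.062) can0 123#FF00", "(0.100) can0 7FF#01"]

if __name__ == "__main__":
    for alert in detect(SUSPECT, baseline_periods(BASELINE)):
        print(alert)
```

A real deployment would also need per-ID tolerances for bursty or event-driven messages, which this period-only model would misclassify.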